Suggested Reading

Arch Linux Download and CF card creation

If you are using Win32 Disk Imager, be aware that the image file needs to be extracted onto a local physical drive (e.g. C:) rather than a network/remote drive.

Login, Change the root password and Create a plain user

Having logged in as root, make sure you change the default password:

# passwd

Then add a user with a non-obvious username, e.g. PlnUser456, and set its password (follow the prompts):

# useradd -m PlnUser456
# passwd PlnUser456

Update your System and Install the Required Packages

Then update your system:

# pacman -Syu

This is likely to update pacman itself first. Just follow the prompts and, once that is complete, re-run the full upgrade:

# pacman -Syu
:: Synchronizing package databases...
core is up to date
extra is up to date
community is up to date
alarm is up to date
aur is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for inter-conflicts...
Proceed with installation? [Y/n]
:: Retrieving packages from core...

Simplistic IPv6 Firewall

By default IPv6 support is disabled in later Arch Linux releases. To enable it, edit /boot/cmdline.txt and remove the ipv6.disable=1 statement from the beginning of the line.

Following this modification it is sensible to reboot your Raspberry Pi and check that it has been correctly allocated an IPv6 address, using ifconfig:

You will need to install the iptables modules and scripts using the following command:

# pacman -S iptables

The following IPv6 firewall is a very simplistic example, where SLAAC IPv6 address allocation is in place. You will want to add additional source address and/or packet arrival rate checking on an internet-facing Raspberry Pi.
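A minimal ruleset of the kind described above, as an added example (not the original page's ruleset, which is missing here). The function names, the default ports 22 and 80, and the "IP6-DROP: " log prefix are assumptions. The second function checks that a ruleset still accepts the ICMPv6 messages SLAAC depends on.

```sh
#!/bin/sh
# Added example, not from the original page. Ports are assumed defaults.

# Print an ip6tables-restore ruleset: default-drop inbound, SLAAC kept working.
gen_ip6_rules() {
    ssh_port=${1:-22}
    http_port=${2:-80}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Router advertisements and neighbour discovery; hop limit 255 means on-link
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# ICMPv6 errors (packet-too-big is needed for path MTU discovery)
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/second -j ACCEPT
# Services: SSH and the Apache server hosting the IPscan CGI
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $http_port -m conntrack --ctstate NEW -j ACCEPT
# Log (rate limited) whatever is about to hit the DROP policy
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IP6-DROP: "
COMMIT
EOF
}

# Return 0 only if the rules on stdin accept the ICMPv6 types SLAAC needs
# (RA 134, NS 135, NA 136), written by name or by number.
slaac_safe() {
    rules=$(cat)
    for t in '134|router-advertisement' '135|neighbou?r-solicitation' \
             '136|neighbou?r-advertisement'; do
        printf '%s\n' "$rules" |
            grep -Eq -- "--icmpv6-type ($t)[ /].*-j ACCEPT" || {
                echo "no ACCEPT for ICMPv6 type $t" >&2; return 1; }
    done
}

gen_ip6_rules | slaac_safe && echo "ruleset keeps SLAAC working"
```

Pipe the output of `gen_ip6_rules` into `ip6tables-restore --test` to parse it without committing, then into `ip6tables-restore` from the console rather than over the SSH session the rules could cut off.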

Once you're satisfied that the IPv6 firewall rules are performing correctly then they can be saved using the following command:

# ip6tables-save >/etc/iptables/ip6tables.rules

Note that if you're also using IPv4 then don't forget to set up a similar IPv4 firewall ruleset. Again, this example is only suitable for use in a trusted environment and needs further consideration for an internet-facing machine.

Once you're happy with your IPv4 firewall then you can save the active rules using the following command:

# iptables-save >/etc/iptables/iptables.rules

Note that it is important to check that full functionality still exists with your firewall in place. This particularly applies to address allocation procedures (e.g. DHCP and SLAAC), where a misconfigured firewall may make your Raspberry Pi unreachable. This is one reason why it is useful to develop the two rulesets (IPv4 and IPv6) separately: if you misconfigure one firewall and lose connectivity then you can fall back to the working protocol version to correct your mistake. Once you're happy that both firewall sets are correct then you can enable the services from boot:

# systemctl enable ip6tables
# systemctl enable iptables

You can check for dropped/logged packets (in the examples above logging is included for the IPv6 packet filter) using the following command:

Installing LAMP

Note: if you are running on a Model B version 1 then edit /etc/mysql/my.cnf to specify innodb_buffer_pool_size = 16M before attempting to start the service.

# systemctl start mysqld

Don't forget to add a MySQL password:

# mysqladmin -u root password 'password'
# mysql -u root -p

Then issue the following command to start MySQL at boot:

# systemctl enable mysqld

Read and follow the Apache section - I suggest that you adjust the default DocumentRoot directory by inserting an additional directory level (e.g. htdocs) under /srv/http so that you can place other directories at this same level without them all being under the Document root:

If you follow this suggestion then don't forget to modify the DocumentRoot setting in the apache configuration file! Having followed the php installation guide then you'll also need to update php's base directory to match Apache inside /etc/php/php.ini:

# Install location for the CGI files
TARGETDIR=/srv/http/cgi-bin6
# HTTP URI PATH by which external hosts will access the CGI files.
# This may well be unrelated to the installation path if Apache is configured
# to provide CGI access via an alias.
# NB : the path should begin with a / but must NOT end with one ....
URIPATH=/cgi-bin6

Make sure you have created the /srv/http/cgi-bin6 directory (or whatever you have chosen) before attempting to build IPscan. Also make sure that your MySQL database is created following the instructions in the GitHub repository. You will need to log in to MySQL using the root password you previously defined (above):

Then you should be able to make IPscan as root user and perform the install to transfer the necessary cgi files into your preferred cgi-bin directory:

# make && make install

Prior to running the IPscan tester it is advisable to add a cron job which will execute the sqltidy.pl script to remove the completed scan results to protect your users' security and minimise the size of your database:

First install the necessary Perl MySQL database interface modules:

# pacman -S perl-dbi-mysql perl-mysql

Then modify the MySQL related entries in the sqltidy.pl script to match your chosen user, password, etc. and then ensure that the script runs standalone without any perl errors:

# /root/ipscan/sqltidy.pl

And finally edit the root cron job to insert the line shown below (modified to reflect your IPscan source directory):

# crontab -e

You may wish to move sqltidy.pl to another location, but ensure its permissions prevent ordinary users from reading or executing the file:

*/5 * * * * /root/ipscan/sqltidy.pl 2>&1

Check your Services and IPv6 address allocation

Now it is suggested that you check your Apache service is running using lsof:

Assuming that your Raspberry Pi has a valid IPv6 address and that your Apache and MySQL services are correctly running then you should be able to point a web browser to your cgi file:

e.g. towards http://[2001:470:971f:6::3]/cgi-bin6/ipscan-txt.cgi

Restrict SSH Logins

In general it is recommended that you apply all the standard SSH hardening approaches. You can also restrict logins to your newly created plain user (above) with the addition of the following line to your ssh configuration file (/etc/ssh/sshd_config). I'd also recommend that you choose a username which isn't a simple shortening of your own name: